CS449/649 : Computer and Internet Forensics

Course Syllabus

Spring, 2023

(MW, 10-11:15; TBE B-178)


Prof. Hal Berghel; office: TBE B-378A; phone: 702-895-2441;

pick one: {hal.berghel \\unlvdomain, hlb \ \acm/ /org, hlb \ \computer/ /org }

office hours: Monday-Friday - 8:30 am to 9:50 am and by appointment.

Graduate Assistant: Matthew Yapjoco, matt.unlv.ta -at- gmail.com



General notes:

  1. The Syllabus for this course will be maintained on the instructor's website at www.berghel.net/sat
  2. The assigned readings will come from online resources. URLs for the readings will be listed in the syllabus under "reading assignments." Note that reading assignments are for the current syllabus entry (i.e., read the assignment for the next class ahead of class). Exam questions regarding the assigned readings will be taken from the course Study Guide, the value of which will be clearly indicated on the assignment.
  3. The current UNLV policies that govern instruction are posted on the website of the Office of the Executive Vice President and Provost at http://provost.unlv.edu/policies.html. Pay special attention to the semester memo under "S".
    1. In addition, please familiarize yourself with the following:
      1. Writing Center Statement
      2. Tutoring Availability
    2. UNLV information that might be of interest
      1. UNLV 2021 safety report
      2. UNLV campus police crime log
      3. UNLV Institutional Metrics
    3. Covid Information: no recent updates
  4. Regarding submitted projects and reports, relevant published online or offline resources are acceptable references. Quotation according to the principles of "fair use" under U.S. copyright law applies; i.e., quoting and identifying a source is acceptable, plagiarizing a source is not. Any student found to have plagiarized will receive an "F" for the assignment on the first occurrence, and will receive an "F" in the course on the second occurrence. If you have any questions about this policy, consult with the instructor.
  5. I change the syllabus frequently (sometimes daily) based on the feedback on, and pace of, the lectures. As a result, the syllabus will typically lead the lectures by at most 2-3 class periods. An exception to this will be the three class periods prior to an exam. In this case, the class content will be frozen well in advance so that you know what material will be covered on the test.
  6. GRADING SCALE: Grading will be on a standard "university scale," i.e., 90-100=A; 80-89=B; etc. I curve the exams so that the mean is always at least 75%. The contribution of exams, homework, projects, etc. will vary but will be explained in the syllabus at the time of assignment.
  7. There will be one or two in-class exams and a final exam. Your grade will be based on these exams with the caveat in note 11., below.
  8. All Exams will be "closed everything": e.g., "closed book," "closed notes," PDAs and computers turned off, cell phones off, etc. Any student caught with an active mobile device during an exam will receive a grade of F for the exam. Any student caught with an active mobile device during an exam for a second time will receive a grade of F for the course.
  9. ATTENDANCE will be taken. Perfect attendance (i.e., no missed classes, attendance for full class periods, as determined by the attendance sheet circulated in class) will be rewarded with a course grade increase of 1/2 letter grade (e.g., B would be raised to B+, B+ raised to A, etc.).
  10. In addition to any exams, homework, and quizzes that may be assigned, students registering for CS649 will be required to complete a semester project, the details of which must be agreed upon no later than class time, Monday, of the 4th week of term. You may submit a proposal via email or meet in person to discuss, as you choose. (As a general goal, assume a 3,500-word report with complete references in whatever standard format you choose (Chicago, APA, MLA, etc.). This report is due at the start of the final exam period.)

Course Description:

Basics of Computer Forensics and Internet Forensics. How to protect your privacy on the internet: E-mail, obfuscation, web sites and servers. Encryption, data hiding, and hostile code. Investigating Windows and Unix. Technical and legal issues regarding digital evidence collection and forensics analysis. Prerequisites: CS202 and junior standing. 3 credits.

Course Materials:

  1. Most reading assignments will either relate directly to the course notes/slides provided on this syllabus, or will be public domain material linked to this syllabus. In addition, you may find the following resources of value.
    1. SANS Resources
      1. SANS IPv4 TCP/IP and tcpdump Pocket Reference Guide
      2. SANS IPv4 TCP/IP and tcpdump Pocket Reference Guide (The version that will be attached to relevant exams)
      3. SANS IPv6 TCP/IP and tcpdump Pocket Reference Guide
      4. SANS Memory Forensics Cheat Sheet
      5. SANS Malware FAQs
      6. SANS Netcat Cheat Sheet
      7. SANS Google Cheat Sheet
      8. SANS IT Code of Ethics
      9. Lenny Zeltser's Reverse Engineering Malware FAQs
    2. Instructor's Notes
      1. Instructor's notes on Positional Number Systems and Boolean Algebra
      2. Instructor's notes on TCPdump commands and filters
      3. Instructor's study guide to selected reading assignments
    3. Instructor's Online Resources
      1. Better Than Nothing Security Practices
      2. The Packet Pal Primer (an Internet Protocol Resource)
      3. The CGI-Bin Bin (a guide to CGI programming circa 1996)
      4. The World Wide Web Test Pattern (find out what the 1990s browser wars were about, interactively)
    4. Instructor's TCP/IP Lecture Slides (CS448/648 & CS449/649)
      1. IPv4
      2. TCP/UDP
      3. ICMP
      4. DNS-ARP
      5. HTTP
      6. BGP
      7. IPsec
      8. Instructor's Online Packet Guide: Packet Pal Primer
  2. Useful Online References:
    1. TCP/IP References
      1. Charles Kozierak's TCP/IP Guide (online): http://tcpipguide.com/free/
    2. Wireshark References
      1. Wireshark Capture Filter Expressions: http://wiki.wireshark.org/CaptureFilters
      2. Wireshark Sample Captures: http://wiki.wireshark.org/SampleCaptures#ARP.2FRARP
    3. Forensics Papers
      1. Carrier, Brian and Eugene Spafford, "An Event-Based Digital Forensic Investigation Framework"
      2. Carrier, Brian: "Defining Digital Forensic Examination and Analysis Tools"
      3. Carrier, Brian: "Performing an Autopsy Examination on FFS and EXT2FS Partition Images"
    4. Manuals
      1. WinDump Manual
      2. Notes on TCPdump and Windump
      3. Snort Commands
      4. ASCII Table
      5. Packet Pal Primer
      6. Berghel/Hoelzer: Pernicious Ports, CACM, December, 2005
      7. Wireshark Display Filters
    5. Trusted-Source Network in Digital Security
      1. Schneier on Security - the most accurate security blog on the internet
      2. Krebs on Security - the best general-purpose security blog on the internet
    6. Watchlist of Future Threat Vectors
      1. Election Fraud and Digital Ballot Boxes:
        1. The Verified Voting Foundation
        2. The VVF's Principles for Voting Systems
      2. The NSA ANT Catalog
      3. CIA Tradecraft DOs and DONT's for Malware Development (text; src: Wikileaks; cf. esp. "(U) Networking"). See also Helpful(?) coding tips from the CIA's school of hacks, Ars Technica, March 8, 2017
      4. The NSA's Media Engagement (aka: Deception) Plan
      5. Micah Lee, "It's Impossible to Prove your Laptop hasn't been Hacked...", The Intercept, April 28, 2018.
      6. Micah Lee, Edward Snowden's New App uses your smartphone to physically guard your laptop, The Intercept, December 27, 2017.
    7. Interesting Digital Archives
      1. IEEE Computer Society's Computing Conversations by Chuck Severance
      2. AT&T's Tech Channel
    8. Dan Kaminsky's Black Ops Series
    9. Relevant Videos
      1. Whitfield Diffie: Information Security - Before and After Public-Key Cryptography; Computer Museum
      2. Warriors of the Net (video)
      3. Vint Cerf on the History of Packets(video)
      4. The Cloud Conspiracy 2008-2014 by Caspar Bowden [31c3, Dec. 2014]
      5. NSA: Tell No One by James Bamford [31c3, Dec. 2014]
    10. Innervation
      1. Dr. Chuck's iPad Steering Wheel Mount
      2. the ill-fated Clipper Chip
    11. Miscellaneous
      1. PRPL's: Security Guidance for Critical Areas of Computing, January, 2016
      2. Dylan Curran, Are you ready? Here is all the data Facebook and Google have on you, The Guardian, March 30, 2018
      3. Bruce Schneier: The Security Mirage (Online TED presentation)
  3. Recommended References: (although not required, these are standard references for computer and Internet forensics).
    1. Brian Carrier, File System Forensic Analysis, Addison-Wesley, Reading
    2. Charles Kozierok, TCP/IP Guide, NoStarch Press, San Francisco (2014)
    3. Sherri Davidoff and Jonathan Ham, Network Forensics: Tracking Hackers through Cyberspace, Prentice-Hall (2012)
    4. Laura Chappell, Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, Laura Chappell University (2010)
    5. Laura Chappell, Wireshark Network Analysis, 2nd ed., Chappell University (2012) [she has several good books on Wireshark, but this is the best IMHO]
    6. Charles and Shari Pfleeger, Security in Computing, Prentice Hall (2007)
    7. Gordon Fyodor Lyon, NMAP Network Scanning, Nmap Project (2009) (partially online @ nmap.org)
    8. John Vacca (ed.): Computer and Information Security Handbook, Elsevier (2013) [a useful, encyclopedic approach]
    9. Dave Roberts, Internet Protocols Handbook, Coriolis Group (1996) [an oldie and a goodie - still a useful introduction to TCP/IP. If you can find this in a used bookstore for a few bucks, grab it - it's still a handy (if outdated) reference]
    10. Ferrara, et al, CyberLaw: Text & Cases, SouthWestern Cengage Learning, 3rd ed, 2012.
    11. Abraham Wagner and Nicholas Rostow, Cybersecurity and Cyberlaw, Carolina Academic Press, 2020.

    ABET Course Outcomes

    By the end of the term, you will:

      Part I: Network Forensics

    1. Understand Core TCP/IP Protocols
      • Understand the operation of packet-based switching networks
      • Understand common network topologies
      • Understand the fundamentals of packet analysis in threat detection
      • Understand anomalous packet traffic and the role of RFCs in defining Internet Protocols
      • Understand the OSI and TCP/IP network models and their inter-relationship
      • Understand how ARP and DNS function
      • Understand the role of data fields and flags within TCP/IP packets
      • Understand the TCP 3-way handshake
    2. Understand the use of Packet Analysis and Packet Crafting in Digital Forensics
    3. Understand Common Threat Vectors
    4. Understand Common Mitigation Strategies
    5. Understand Anti-Forensics Strategies
      • Metasploit Project
      • anonymizing
      • onion routing and TOR
      • remailing
      • Understand Encryption

      Part II: Computer Forensics

    6. Understand Computer Forensics
    7. Understand the use of Digital Forensics in:

    ABET Core Competencies

    1. An understanding of the implications, remediation, and avoidance strategies of digital security breaches
    2. Situational awareness of the use of forensics by law enforcement, intelligence agencies, military, terrorists, criminals, and state sponsors.
    3. The ability to distinguish between types of digital forensics, and understand the capabilities of each.
    4. You will develop a working knowledge of computer and network forensics and their tools
    5. You will be able to work within a digital security environment
    6. You will understand some of the digital/electronic/computing/networking technologies behind digital forensics


    note: The UNLV IEEE Xplore digital library institutional license (ieeexplore.ieee.org from any UNLV IP address) and UNLV ACM digital library institutional subscription (dl.acm.org from any UNLV IP address) may be used to access IEEE and ACM assigned readings. In both cases use the title as the search term. Whenever possible, I will provide alternative convenient links consistent with copyright, but I cannot guarantee the persistence of the links.

    note 3: Refer to the Instructor's Study Guide to selected assigned readings in preparation for exams.

    Weeks of January 16 & 23: Basic Digital Media Forensics

    Week of January 30: Covert Data Hiding on Digital Media

    TCP/IP Protocols (We will move through all of the following TCP/IP protocols, in order, in the following lectures beginning immediately after the lectures on covert data hiding.)

    NOTE: Bring a copy of the SANS IPv4 TCP/IP and tcpdump Pocket Reference Guide to class for all of the forthcoming lectures on protocols. For your online convenience, feel free to use my Packet Pal Primer.

      Week of February 6: the IPv4 Protocol: Lecture Notes

      Week of February 13: the TCP and UDP Protocols: Lecture Notes

      Week of February 20 and February 27: the ICMP Protocol Lecture Notes
      • Homework: Complete this worksheet on packet dissection: Instructor will review worksheet in class on 2/22.

    March 1 - Exam 1 - Exam is "closed everything": e.g., "closed book," "closed notes," PDAs and computers turned off, cell phones off, etc. The detection of any mobile device in use will result in an exam grade of F. Questions will come from 3 sources: lectures, assigned readings, and homework. Make sure to confirm that you have the latest revision of the study guide: 011923 or later.

    Week of March 6: the DNS and ARP Protocols: Lecture Notes

    Week of March 13: the HTTP Protocol Lecture Notes

    March 20: Packet Analysis with Wireshark & TCPdump

    March 22 & 27: Stuxnet: Lecture Notes

    FINAL EXAM: t.b.d.

    (All Exams will be "closed everything": e.g., "closed book," "closed notes," PDAs and computers turned off, cell phones off, etc. The Final Exam is cumulative and will cover all assigned course materials during the semester (except materials marked "supplementary").)